Reddit review puts some teeth into “Aaron’s Law”

Bill would change computer fraud law to prevent a Swartz-like prosecution.

Shortly after the suicide of Internet entrepreneur and activist Aaron Swartz, Silicon Valley lawmaker Zoe Lofgren proposed "Aaron's Law." The bill aims to reform the Computer Fraud and Abuse Act (CFAA), the law under which Swartz was prosecuted for mass-downloading academic documents from MIT's network. Swartz's family has blamed the government prosecution for contributing to his death.

Lofgren submitted a draft of the bill to be reviewed on reddit. After its online critique, a revised version of the bill was published today, with more far-reaching reforms.

The CFAA forbids "unauthorized access" to computer networks, and the older version of Lofgren's reform bill would have simply changed the wording of the law so that nobody could be prosecuted under CFAA if all they had done is violate terms of service.

But CFAA prosecutions, including the one against Aaron Swartz, often involve something more serious than mere TOS violations.

The new version defines unauthorized access as "the circumvention of technological access barriers," which leaves a much narrower scope for prosecution. It also specifies that changing one's MAC or IP address does not violate CFAA or the wire fraud statute. It's pretty clear that Swartz, who was authorized to be on the MIT network, wouldn't be prosecutable under the new law.

Other recent CFAA prosecutions, like the one against Internet troll "weev," might not have been possible under the revised law, either. Weev arguably didn't "circumvent one or more technological measures that exclude or prevent unauthorized individuals from obtaining or altering that information," which is what is required under the language of the revised bill [PDF].

The bill could be introduced as early as next week, when the House is back in session. As Lofgren explained in a reddit discussion, though, it's a long process. First she'll have to urge her colleagues to become "original cosponsors" of the bill and then encourage the Judiciary Committee Chairperson (Rep. Bob Goodlatte of Virginia) to bring the bill up for a hearing or a vote. "Sustain[ing] public support throughout that process is important for the bill to continue advancing," wrote Lofgren.

This is pure stupid. Even with this new law in place, he would have been prosecuted for something else. The proper move would have been reduction in penalties that would require the harmed party to prove the level of damages involved.

This is pure stupid. Even with this new law in place, he would have been prosecuted for something else. The proper move would have been reduction in penalties that would require the harmed party to prove the level of damages involved.

That's along the line of what I've been thinking. However, what the prosecutors did is pretty common, scare the guy with tons of charges and get him to bargain down to a slap on the wrist. I've worked in the judicial system, I've seen it quite a bit. Chances are that is what was going on.

To me, in the end this is simply a guy with some pretty serious mental health issues who broke a law, got caught and charged, then succumbed to the pressure and killed himself. I know it's easy to blame the prosecutors, but Aaron knew he shouldn't have done what he did. He took the risk and paid the price.

This is pure stupid. Even with this new law in place, he would have been prosecuted for something else. The proper move would have been reduction in penalties that would require the harmed party to prove the level of damages involved.

Even better would be to do both.

Narrow the scope, *and* make it so that penalties are commensurate with the level of damages.

The penalties ARE commensurate with the level of damages, which everyone and their brother who actually understands anything about the legal system has explained.

Fifty years is the MAXIMUM SENTENCE. Had he broken in and, say, deleted the entire database, he might have gotten closer to the MAXIMUM SENTENCE. Instead, he broke in and scraped a bit. As such, his jail sentence was likely to be under a year.

The penalties ARE commensurate with the level of damages, which everyone and their brother who actually understands anything about the legal system has explained.

Fifty years is the MAXIMUM SENTENCE. Had he broken in and, say, deleted the entire database, he might have gotten closer to the MAXIMUM SENTENCE. Instead, he broke in and scraped a bit. As such, his jail sentence was likely to be under a year.

How can you say, on the one hand, that the penalties are commensurate with the level of damages, and on the other hand justify those penalties with things that didn't happen. Yeah, he could have broken in and deleted the entire database. He also could've broken in and murdered forty people, but since he didn't do that, why would you support charging him as though he did?

The punishment should fit the crime. Not the potential for what the crime might have been but wasn't. The actual crime committed.

The penalties ARE commensurate with the level of damages, which everyone and their brother who actually understands anything about the legal system has explained.

Fifty years is the MAXIMUM SENTENCE. Had he broken in and, say, deleted the entire database, he might have gotten closer to the MAXIMUM SENTENCE. Instead, he broke in and scraped a bit. As such, his jail sentence was likely to be under a year.

So nice of you to assume (wrongly) that I'm one of the people who don't understand that he never would have received anything close to the maximum possible sentence. There was nothing in my post to lead you to that assumption.

For what he actually did, a suspended sentence, possibly with community service, should have been the absolute maximum penalty that he faced.

IMO, any amount of jail time would have been too harsh a penalty for his actions.

Punishing changing IP and MAC addresses is impossible to enforce; just using a VM with a NAT connection as your machine would make you guilty.

Every time I read this argument I want to eat my hat. This is such a straw man it gives me a hunger to eat my clothing.

Just because something is technically possible in one environment does not make the act in every environment legal. It's well documented that Aaron wasn't running a VM and that his MAC address changing was in fact to regain access after MIT attempted to block his access. I don't understand what's so difficult about this. Has no one run a DHCP server and had to either white or black list machines before? Has no one ever had to set up reservations before on their home router?

Yes, I get it - MAC addresses are not unique identifiers anymore. Yes, they should not be used for security. Yes, it shouldn't be illegal to change your MAC address.

But will everyone please stop telling me that just because dynamic MAC addressing exists in virtual environments means that all MAC address changing is 100% benign because you just have your head in the sand on how a lot of current systems handle such access.

The penalties ARE commensurate with the level of damages, which everyone and their brother who actually understands anything about the legal system has explained.

Fifty years is the MAXIMUM SENTENCE. Had he broken in and, say, deleted the entire database, he might have gotten closer to the MAXIMUM SENTENCE. Instead, he broke in and scraped a bit. As such, his jail sentence was likely to be under a year.

How can you say, on the one hand, that the penalties are commensurate with the level of damages, and on the other hand justify those penalties with things that didn't happen. Yeah, he could have broken in and deleted the entire database. He also could've broken in and murdered forty people, but since he didn't do that, why would you support charging him as though he did?

The punishment should fit the crime. Not the potential for what the crime might have been but wasn't. The actual crime committed.

They didn't charge him as though he murdered 40 people. Unless you know something about the indictment that I don't know.

I wonder what people would have thought if he had walked into the American Express offices with his laptop, gone into an unlocked network closet, connected to their intranet and proceeded to download 300K people's credit card information. What if he walked into your doctor's office, downloaded your medical records and published those online? The only thing I see different in what Swartz did was that the information he accessed wasn't personal information, but the actions he took were the same, and they were illegal. We start changing the law based on this one circumstance where fortunately there was little significant damage done to anyone, we're going to be faced with circumstances that very smart black hat hackers are going to use those openings to do some very serious damage.

Because he's not authorized to be at AmEx' offices accessing personal files, or the doctor's office.

He _was_ authorized to be on MIT's network. He was even authorized to access the documents he did.

He wasn't authorized to be in the comm closet, and a few other fillips, but the basis of your comparison is completely invalid.

How can you say, on the one hand, that the penalties are commensurate with the level of damages, and on the other hand justify those penalties with things that didn't happen. Yeah, he could have broken in and deleted the entire database. He also could've broken in and murdered forty people, but since he didn't do that, why would you support charging him as though he did?

The punishment should fit the crime. Not the potential for what the crime might have been but wasn't. The actual crime committed.

The punishment fits the crime.

You just don't understand how the US legal system works.

There's something called sentencing guidelines. Look them up. They're how sentences are determined.

The maximum is just that - the maximum. Battery, for instance, can be anything from punching someone in the arm to giving someone a brutal beatdown. Does that mean that they're punished the same? No. But it's still the same offense (hitting someone).

Quote:

For what he actually did, a suspended sentence, possibly with community service, should have been the absolute maximum penalty that he faced.

IMO, any amount of jail time would have been too harsh a penalty for his actions.

If you do 10K worth of damage, you deserve to spend some time in jail. Period.

And this was not the first time he did something like this; he pulled a similar stunt with PACER, but wasn't charged.

Boskone wrote:

He _was_ authorized to be on MIT's network. He was even authorized to access the documents he did.

No he wasn't. He was banned from the network. Repeatedly.

Why are you lying?

Is it because you think if you say it often enough people will believe it is true?

I and many others would have had free access to PACER by now if not for Aaron Swartz's showboating that resulted in the shutdown of the GPO/PACER trial. The access to PACER is actually worse off if the trial had continued and expanded to every FDLP site as originally scheduled. And all SCCLL-SIS locations after that.

If they can get this passed, Swartz can make up for his shenanigans and restore the status to what it could have been.

I and many others would have had free access to PACER by now if not for Aaron Swartz's showboating that resulted in the shutdown of the GPO/PACER trial. The access to PACER is actually worse off if the trial had continued and expanded to every FDLP site as originally scheduled. And all SCCLL-SIS locations after that.

If they can get this passed, Swartz can make up for his shenanigans and restore the status to what it could have been.

Not really if they pass this having something like MIT's free WIFI that Swartz used too costly to lock down properly. So lots of nice free things might be shut down.

Not really if they pass this having something like MIT's free WIFI that Swartz used too costly to lock down properly. So lots of nice free things might be shut down.

Let's just say that I know many people who were devastated by his show-boating that ruined efforts by hundreds of hardworking people. "No good deed goes unpunished" had become the motto of my contacts at GPO.

The issue with Open PACER is: do we fund the judicial system with general funds? Or, since so many people hold litigants in such ill repute, are we allowing the judicial system to become almost completely litigant-funded through user fees like filing fees and PACER access fees?

Punishing changing IP and MAC addresses is impossible to enforce; just using a VM with a NAT connection as your machine would make you guilty.

Every time I read this argument I want to eat my hat. This is such a straw man it gives me a hunger to eat my clothing.

Just because something is technically possible in one environment does not make the act in every environment legal. It's well documented that Aaron wasn't running a VM and that his MAC address changing was in fact to regain access after MIT attempted to block his access. I don't understand what's so difficult about this. Has no one run a DHCP server and had to either white or black list machines before? Has no one ever had to set up reservations before on their home router?

Yes, I get it - MAC addresses are not unique identifiers anymore. Yes, they should not be used for security. Yes, it shouldn't be illegal to change your MAC address.

But will everyone please stop telling me that just because dynamic MAC addressing exists in virtual environments means that all MAC address changing is 100% benign because you just have your head in the sand on how a lot of current systems handle such access.

You do know the guy I was replying to is asking for it to be a prosecution charge, in other words to be a crime in itself, so why are you ranting at me already?

Making something not be a crime doesn't mean it cannot be an element used in building a dossier, which, in the case of the element we are talking about, could be part of a proof of intention to commit a crime.

For example, if you go buy an axe, is it a crime in itself? I think not, but if in the week following the purchase you kill someone with it, I am pretty sure it makes a damn good proof of premeditation.

I wonder what people would have thought if he had walked into the American Express offices with his laptop, gone into an unlocked network closet, connected to their intranet and proceeded to download 300K people's credit card information. What if he walked into your doctor's office, downloaded your medical records and published those online? The only thing I see different in what Swartz did was that the information he accessed wasn't personal information, but the actions he took were the same, and they were illegal. We start changing the law based on this one circumstance where fortunately there was little significant damage done to anyone, we're going to be faced with circumstances that very smart black hat hackers are going to use those openings to do some very serious damage.

Because he's not authorized to be at AmEx' offices accessing personal files, or the doctor's office.

He _was_ authorized to be on MIT's network. He was even authorized to access the documents he did.

He wasn't authorized to be in the comm closet, and a few other fillips, but the basis of your comparison is completely invalid.

"The use of MIT's IT resources is restricted to Institute business and incidental personal use. Incidental personal use may not interfere with MIT work, nor may it result in additional direct cost to MIT. MIT's computers and other IT resources must be used in a manner consistent with MIT’s status as a non-profit organization, and so, for example, cannot be used for the benefit of personal businesses or other organizations unless permitted by MIT policy (for example, permitted under [url=http://web.mit.edu/policies/4/4.5.html]Section 4.5 Outside Professional Activities[/url]) or otherwise authorized."

Downloading a few articles is incidental. Trying to download all 4.5 million of them is not.

Even under the most liberal interpretation of incidental personal use, Swartz' actions still broke the rules because it interfered with MIT's work once it led to JSTOR suspending their access. As he was operating under his own personal agenda, he also violated their restrictions on using their network for his personal benefit.

His actions were completely unethical and violated the trust that MIT had in users that they would abuse their system. As for whether it's illegal, if you check the [url=http://ist.mit.edu/network/rules]IST[/url] page that also discusses the rules, they lay it out clearly: "All network users are expected to follow these rules. Violations of the rules can subject the offender to Institute disciplinary proceedings, loss of network privilidges(sic), and, in some cases, civil or criminal prosecution."

I wonder what people would have thought if he had walked into the American Express offices with his laptop, gone into an unlocked network closet, connected to their intranet and proceeded to download 300K people's credit card information. What if he walked into your doctor's office, downloaded your medical records and published those online? The only thing I see different in what Swartz did was that the information he accessed wasn't personal information, but the actions he took were the same, and they were illegal. We start changing the law based on this one circumstance where fortunately there was little significant damage done to anyone, we're going to be faced with circumstances that very smart black hat hackers are going to use those openings to do some very serious damage.

Because he's not authorized to be at AmEx' offices accessing personal files, or the doctor's office.

He _was_ authorized to be on MIT's network. He was even authorized to access the documents he did.

He wasn't authorized to be in the comm closet, and a few other fillips, but the basis of your comparison is completely invalid.

"The use of MIT's IT resources is restricted to Institute business and incidental personal use. Incidental personal use may not interfere with MIT work, nor may it result in additional direct cost to MIT. MIT's computers and other IT resources must be used in a manner consistent with MIT’s status as a non-profit organization, and so, for example, cannot be used for the benefit of personal businesses or other organizations unless permitted by MIT policy (for example, permitted under [url=http://web.mit.edu/policies/4/4.5.html]Section 4.5 Outside Professional Activities[/url]) or otherwise authorized."

Downloading a few articles is incidental. Trying to download all 4.5 million of them is not.

Even under the most liberal interpretation of incidental personal use, Swartz' actions still broke the rules because it interfered with MIT's work once it led to JSTOR suspending their access. As he was operating under his own personal agenda, he also violated their restrictions on using their network for his personal benefit.

His actions were completely unethical and violated the trust that MIT had in users that they would abuse their system. As for whether it's illegal, if you check the [url=http://ist.mit.edu/network/rules]IST[/url] page that also discusses the rules, they lay it out clearly: "All network users are expected to follow these rules. Violations of the rules can subject the offender to Institute disciplinary proceedings, loss of network privilidges(sic), and, in some cases, civil or criminal prosecution."

Funny. That bit you quoted does not explicitly forbid what he did. It's literally meaningless (as in, the written words convey no meaning of significance) and basically just sets up a retroactive catch-all in legalese (i.e. it's basically "we reserve the right to decide what's appropriate use", just not in standard boilerplate).

I wonder what people would have thought if he had walked into the American Express offices with his laptop, gone into an unlocked network closet, connected to their intranet and proceeded to download 300K people's credit card information. What if he walked into your doctor's office, downloaded your medical records and published those online? The only thing I see different in what Swartz did was that the information he accessed wasn't personal information, but the actions he took were the same, and they were illegal. We start changing the law based on this one circumstance where fortunately there was little significant damage done to anyone, we're going to be faced with circumstances that very smart black hat hackers are going to use those openings to do some very serious damage.

Let's imagine a slightly different scenario. Let's say I broke into an abandoned stone quarry, set up some targets, and practiced shooting them with a rifle. Let's assume I got caught and charged with trespassing and illegally discharging a firearm on private property. Let's assume they threaten to charge me with the maximum possible sentence for mass murder to scare me into a plea bargain, even though it's unlikely that such a sentence would be passed.

I mean, what if it had been a doctor's office instead of a stone quarry, and instead of inanimate targets, I was shooting at doctors and patients. The actions I took were the same (pointing a gun and pulling the trigger), and they were illegal. We start changing the law based on this one circumstance where fortunately there was little damage done to anyone, we're going to be faced with circumstances that very violent mass murderers are going to use those openings to do some very serious damage.

My point here is that the "same actions" can (and should) be considered totally different crimes (or not crimes at all) based on the circumstances, and the harm that results from taking those actions in those circumstances. If I go target shooting at a legal gun range, it's not a crime. If I go target shooting in an abandoned quarry, it's a relatively minor crime. If I go target shooting at people in a doctor's office, it's a really serious crime, yet in all cases the action performed is pointing a gun and pulling the trigger. The difference is circumstances, and harm caused. To ignore those differences, treat all three cases as the same type of crime, and leave it up to the judge and jury to decide the sentence from a range wide enough to accommodate all three cases is simply absurd, but that's basically the way the law treats unauthorized computer access.

I wonder what people would have thought if he had walked into the American Express offices with his laptop, gone into an unlocked network closet, connected to their intranet and proceeded to download 300K people's credit card information. What if he walked into your doctor's office, downloaded your medical records and published those online? The only thing I see different in what Swartz did was that the information he accessed wasn't personal information, but the actions he took were the same, and they were illegal. We start changing the law based on this one circumstance where fortunately there was little significant damage done to anyone, we're going to be faced with circumstances that very smart black hat hackers are going to use those openings to do some very serious damage.

Because he's not authorized to be at AmEx' offices accessing personal files, or the doctor's office.

He _was_ authorized to be on MIT's network. He was even authorized to access the documents he did.

He wasn't authorized to be in the comm closet, and a few other fillips, but the basis of your comparison is completely invalid.

He wasn't authorized to use MIT's network in that manner. They repeatedly tried to block him from their network and he worked around the blocks in various ways.

He was not authorized to access the documents in that manner. They repeatedly tried to block him from scraping their site and he worked around the blocks in various ways.

That's the whole point. He was not authorized to do those things, and worked his way around the systems they used to try to stop him.

I wonder what people would have thought if he had walked into the American Express offices with his laptop, gone into an unlocked network closet, connected to their intranet and proceeded to download 300K people's credit card information. What if he walked into your doctor's office, downloaded your medical records and published those online? The only thing I see different in what Swartz did was that the information he accessed wasn't personal information, but the actions he took were the same, and they were illegal. We start changing the law based on this one circumstance where fortunately there was little significant damage done to anyone, we're going to be faced with circumstances that very smart black hat hackers are going to use those openings to do some very serious damage.

Let's imagine a slightly different scenario. Let's say I broke into an abandoned stone quarry, set up some targets, and practiced shooting them with a rifle. Let's assume I got caught and charged with trespassing and illegally discharging a firearm on private property. Let's assume they threaten to charge me with the maximum possible sentence for mass murder to scare me into a plea bargain, even though it's unlikely that such a sentence would be passed.

I mean, what if it had been a doctor's office instead of a stone quarry, and instead of inanimate targets, I was shooting at doctors and patients. The actions I took were the same (pointing a gun and pulling the trigger), and they were illegal. We start changing the law based on this one circumstance where fortunately there was little damage done to anyone, we're going to be faced with circumstances that very violent mass murderers are going to use those openings to do some very serious damage.

My point here is that the "same actions" can (and should) be considered totally different crimes (or not crimes at all) based on the circumstances, and the harm that results from taking those actions in those circumstances. If I go target shooting at a legal gun range, it's not a crime. If I go target shooting in an abandoned quarry, it's a relatively minor crime. If I go target shooting at people in a doctor's office, it's a really serious crime, yet in all cases the action performed is pointing a gun and pulling the trigger. The difference is circumstances, and harm caused. To ignore those differences, treat all three cases as the same type of crime, and leave it up to the judge and jury to decide the sentence from a range wide enough to accommodate all three cases is simply absurd, but that's basically the way the law treats unauthorized computer access.

-Kasoroth

It's absurd to leave it up to a judge and jury to decide what your crime is? What world do you live in?

And they didn't charge him with the equivalent of mass murder. Some crimes are defined broadly. When you commit one of those crimes, you are charged with the crime and then the judge applies the sentencing guidelines to your case. The possible sentence can vary widely. Just because there is a large maximum sentence, does not mean that you are in any danger of being given that sentence, unless the crime you committed warrants it. For the millionth time, Aaron was offered 0 months in prison. He only had to accept a felony conviction. You may disagree that he should have a felony conviction for that, but that is hardly the same as being charged for mass murder just for target shooting.

But by all means, don't let facts and logic get in the way of your rant.

Funny. That bit you quoted does not explicitly forbid what he did. It's literally meaningless (as in, the written words convey no meaning of significance) and basically just sets up a retroactive catch-all in legalese (i.e. it's basically "we reserve the right to decide what's appropriate use", just not in standard boilerplate).

IANAL, but that's how I see it.

How is attempting to download the entire JSTOR database not forbidden? That act alone is a violation of JSTOR's Terms and Conditions of Use(5d), and makes his use of their network unethical.

Using their networks to violate the terms and conditions of a service provided to the Institute for use by its students is simply not appropriate.

I'm not a lawyer either, but you don't need to be one to see what he was doing was wrong, no matter how you spin it.

Nice to see that the same armchair lawyers (and now ethicists too) are holding the line. With minds of pure iron they have judged Aaron Swartz a danger to society, deserving of persecution and prosecution... nuance be damned... disagree and ye shall be similarly judged a troll by this most vocal minority.

Funny. That bit you quoted does not explicitly forbid what he did. It's literally meaningless (as in, the written words convey no meaning of significance) and basically just sets up a retroactive catch-all in legalese (i.e. it's basically "we reserve the right to decide what's appropriate use", just not in standard boilerplate).

IANAL, but that's how I see it.

Laws against murder do not specifically prohibit you from removing all the oxygen from someone's house overnight so that they suffocate to death in their sleep.

The entire purpose of writing rules broadly is to prevent circumvention.

It's a basic principle of any sort of rule making, legal or otherwise.

You don't say "No purple dragons, no pink dragons, no blue dragons." You say "No dragons." Or better yet, "no mythological animals". You write it in such a broad fashion so as to exclude all the possibilities that should be barred regardless of how they are done.

HalationEffect wrote:

Who exactly suffered 10K worth of damage? I hope you don't mean JSTOR, because they thought what he'd done wasn't sufficiently problematic for them to even want to press charges.

MIT. Loss of access to JSTOR + the effort they spent banning him + the effort they spent tracking him down.

Any damage done while preventing you from committing a crime is damage you yourself did, unless it is wholly unreasonable. What they did was not disproportionate.

Quote:

Let's say I broke into an abandoned stone quarry, set up some targets, and practiced shooting them with a rifle. Let's assume I got caught and charged with trespassing and illegally discharging a firearm on private property. Let's assume they threaten to charge me with the maximum possible sentence for mass murder to scare me into a plea bargain, even though it's unlikely that such a sentence would be passed

Strawman argument. If you believe this to be comparable, you are engaging in massive rationalization. If you don't, you're a liar and propagandist.

He was charged with crimes that he eminently committed. There's no doubt that he committed any of the crimes in question. If you go out and shoot targets, you are not committing mass murder, or murder of any sort. Indeed, unless you did five thousand dollars worth of damage, you couldn't even be charged with arson. You'd be charged with illegally discharging a firearm and trespassing and possibly reckless endangerment.

The idea that this is even comparable is either propaganda (strawman argument) or severe, severe rationalization on your part.

So which is it? Are you lying to us, or are you lying to yourself?

Because it is eminently clear that you are, in fact, lying.

His crime was unauthorized access. Did he do this? Yes. Is there any DOUBT he did this? No.

Yes. He did something deserving of a severe talking to by the staff of the library. Perhaps it was necessary to call in some authorities when the PC was discovered, in case it was part of an attempt to do something illegal, like access confidential information, or as part of some industrial espionage.

But when the facts came out, the cops should have said "Preserve me from all geeks" and left. Indeed, that is what, from what I hear anyway, the investigating police recommended, until a headline-seeking prosecutor decided to make an example of him and a fool of herself.

Who exactly suffered 10K worth of damage? I hope you don't mean JSTOR, because they thought what he'd done wasn't sufficiently problematic for them to even want to press charges.

MIT. Loss of access to JSTOR + the effort they spent banning him + the effort they spent tracking him down.

Any damage done while preventing you from committing a crime is damage you yourself did, unless it is wholly unreasonable. What they did was not disproportionate.

Hmm. Got a source for that 10k figure? It just seems a bit inflated to me.

Besides, even if that figure is accurate and reasonable, Swartz had the means (before legal fees drained his funds) to simply compensate them for that sum, so I still don't see that prison time was the only recourse. So I'll modify my earlier suggestion, and say that a suspended sentence + community service + compensating MIT should have been a more than sufficient penalty for him.

Yes. He did something deserving of a severe talking to by the staff of the library. Perhaps it was necessary to call in some authorities when the PC was discovered, in case it was part of an attempt to do something illegal, like access confidential information, or as part of some industrial espionage.

But when the facts came out, the cops should have said "Preserve me from all geeks" and left. Indeed, that is what, from what I hear anyway, the investigating police recommended, until a headline-seeking prosecutor decided to make an example of him and a fool of herself.

CFAA was a power-grab from the government, aided and abetted by congressmen wanting to show off their "hacker-fighting seriousness" on the Sunday talk-shows. It is as directed (and effective) as fishing with a stick of dynamite.

Hackers in the 80's were a prime example of the politics of fear: terrify the people with an ill-defined, strange, all-powerful Other, and grab power to "protect the people".

Changing the law that was involved with the Swartz case would be the most effective way to alter the severity of prosecutions involved with similar situations.

Without a change in the law, imo it is wishful thinking to believe that prosecutors would decide not to pursue these cases. Also, the victim of the crime has an effect. At some point in the case a plea bargain with no prison sentence seems to have been agreed to between Swartz' defense lawyer and the prosecution. But MIT would not agree.

The process of introducing a bill in Congress should give an opportunity to review the pros and cons of changing the Computer Fraud and Abuse Act.

I wonder what people would have thought if he had walked into the American Express offices with his laptop, gone into an unlocked network closet, connected to their intranet and proceeded to download 300K people's credit card information. What if he walked into your doctor's office, downloaded your medical records and published those online? The only thing I see different in what Swartz did was that the information he accessed wasn't personal information, but the actions he took were the same, and they were illegal. We start changing the law based on this one circumstance where fortunately there was little significant damage done to anyone, we're going to be faced with circumstances that very smart black hat hackers are going to use those openings to do some very serious damage.

If these records are accessible with just a spoofed MAC address, the problem lies with American Express and the doctor's office. All of the above information should be encrypted. It's not even unreasonable to state that there are legal requirements for a certain strength encryption for such records (and there very well might be for all I know). This would also mean that anybody who did access these records to break the encryption, which would be an actual "circumvention of technological access barriers" and still be covered by the law. It's also ignoring that other laws can and do exist. Let's say that AmEx and your doctor are morons, and they have the information available at Amex.com/ccinfo . If a law exists that states that the publication or trading of other people's CC info is illegal, then they can be tried under that law. It's better to have the law be too narrow than the law be too broad. It's the exact same principle of our justice system, which is designed to (in theory) be much more likely to let the guilty go than have innocents unjustly punished.

Yes. He did something deserving of a severe talking to by the staff of the library. Perhaps it was necessary to call in some authorities when the PC was discovered, in case it was part of an attempt to do something illegal, like access confidential information, or as part of some industrial espionage.

But when the facts came out, the cops should have said "Preserve me from all geeks" and left. Indeed, that is what, from what I hear anyway, the investigating police recommended, until a headline-seeking prosecutor decided to make an example of him and a fool of herself.

What makes him so entitled to such preferential treatment?

Nothing. Everyone who engages in what he did should be treated in the same manner as robbak has suggested. It is not the person who deserves this kind of treatment, it is the crime itself.